Research Article
Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm
@INPROCEEDINGS{10.1007/978-3-030-43215-7_4,
  author={Tianliang Lu and Yanhui Du and Jing Wu and Yuxuan Bao},
  title={Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm},
  proceedings={Testbeds and Research Infrastructures for the Development of Networks and Communications. 14th EAI International Conference, TridentCom 2019, Changsha, China, December 7-8, 2019, Proceedings},
  proceedings_a={TRIDENTCOM},
  year={2020},
  month={3},
  keywords={Ransomware; Negative selection algorithm; API call sequence; Artificial Immune System; Cuckoo sandbox},
  doi={10.1007/978-3-030-43215-7_4}
}
- Tianliang Lu
- Yanhui Du
- Jing Wu
- Yuxuan Bao
Year: 2020
TRIDENTCOM
Springer
DOI: 10.1007/978-3-030-43215-7_4
Abstract
Encrypting ransomware that uses public-key cryptography is almost impossible to decrypt, so early detection and prevention are all the more important. Signature matching has a low detection rate for unknown or polymorphic ransomware, and some intelligent algorithms have been proposed to solve this problem. Inspired by the Artificial Immune System (AIS), an improved double-layer negative selection algorithm (DL-NSA) was proposed that reduces the number of holes left by NSA and increases the detection rate. To obtain the behavioural characteristics of ransomware (e.g., file reads and writes, cryptographic API calls and network connections), a Cuckoo sandbox was built to simulate the environment in which the malicious code runs. After dynamic analysis, the behavioural characteristics of ransomware were encoded as antigens. The improved double-layer negative selection algorithm has two sets of immune detectors. The first-layer detector set is generated by the original negative selection algorithm using r-contiguous bits matching. The second-layer detector set is generated directionally to cover the holes left by the first layer, using r-chunk matching with a variable matching threshold. Simulation results show that, compared with NSA, this algorithm achieves higher coverage of the non-self space and increases the ransomware detection rate.
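As an added illustration (not the paper's code), the block below is a small exhaustive model of the two-layer scheme the abstract describes: first-layer detectors under r-contiguous matching, the holes they leave among non-self antigens, and second-layer r-chunk detectors grown with a variable threshold toward those holes. The 8-bit behaviour encoding, the self set and the thresholds are constructed assumptions.

```python
# Added example (not the paper's code). Antigens are assumed to be fixed-length
# bit strings; each bit is a constructed behaviour flag (e.g. "crypto API called").
from itertools import product

L = 8   # bits per antigen (assumption)
R = 4   # r-contiguous threshold for the first layer (assumption)

def r_contiguous(d, s, r=R):
    """True if detector d and antigen s agree on at least r contiguous bits."""
    run = 0
    for a, b in zip(d, s):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def r_chunk(det, s):
    """det = (position, chunk); matches if s carries that chunk at that position."""
    pos, chunk = det
    return s[pos:pos + len(chunk)] == chunk

def universe():
    return ["".join(bits) for bits in product("01", repeat=L)]

def layer1(self_set):
    """Original NSA: keep candidates matching no self antigen (enumerated
    exhaustively here instead of sampled randomly, so results are deterministic)."""
    return [c for c in universe() if not any(r_contiguous(c, x) for x in self_set)]

def holes(self_set, dets1, dets2=()):
    """Non-self antigens that no detector of either layer matches."""
    return [s for s in universe() if s not in self_set
            and not any(r_contiguous(d, s) for d in dets1)
            and not any(r_chunk(d, s) for d in dets2)]

def layer2(self_set, hole_list):
    """Directed r-chunk detectors: for each hole, the shortest chunk (variable
    threshold) that no self antigen carries at the same position."""
    dets = set()
    for h in hole_list:
        for r in range(1, L + 1):          # threshold grows until a valid chunk exists
            cands = [(p, h[p:p + r]) for p in range(L - r + 1)
                     if not any(r_chunk((p, h[p:p + r]), x) for x in self_set)]
            if cands:
                dets.add(cands[0])
                break
    return sorted(dets)

def run(self_set):
    """Returns (#layer-1 detectors, layer-1 holes, layer-2 detectors, remaining holes)."""
    d1 = layer1(self_set)
    h1 = holes(self_set, d1)
    d2 = layer2(self_set, h1)
    return len(d1), h1, d2, holes(self_set, d1, d2)

# Constructed benign profile: every 4-bit window of "01010101" occurs at the same
# position in some self antigen, so the first layer cannot detect it (a hole).
SELF = {"01011111", "11010111", "11110101"}
```

Running `run(SELF)` shows the hole "01010101" after the first layer and no holes once the directed r-chunk detectors are added.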